Author Topic: HTML:Malware-gen help plz :(  (Read 22512 times)


calypso

  • Guest
HTML:Malware-gen help plz :(
« on: March 28, 2008, 05:39:44 PM »
It's not adware. It's called HTML:Malware-gen and it's downloading something to my computer.
I already have Avast and it's always updated. I don't know where I got this virus/worm. Avast can detect it when it tries to download something and stops it, but when I scan to try to remove it, it can't be detected.

How can I remove this virus?  :'(
Sorry for my English.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89056
  • No support PMs thanks
Re: HTML:Malware-gen help plz :(
« Reply #1 on: March 28, 2008, 06:17:18 PM »
Although you don't give much information, I believe this was detected by the Web Shield provider. If so, the alert would only have given one option, to abort the connection (see image example), which stops the file being downloaded. So it won't appear on your system; that is why you can't find it.

Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

calypso

  • Guest
Re: HTML:Malware-gen help plz :(
« Reply #2 on: March 28, 2008, 07:16:28 PM »
But this message shows when opening Yahoo Messenger, IE7 or Firefox:

http://b.imagehost.org/download/0346/01_3.bmp
« Last Edit: March 28, 2008, 07:18:20 PM by calypso »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89056
  • No support PMs thanks
Re: HTML:Malware-gen help plz :(
« Reply #3 on: March 28, 2008, 07:22:44 PM »
That isn't relevant to whether the virus that avast is alerting on got on to your system.

What is likely is that there is an undetected or hidden trojan on your system that is trying to connect to a web page and download more malware. So as soon as you connect to the internet it tries to download.

What is your firewall (it should be capable of blocking unauthorised outbound Internet connections)?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode.
If using WinXP or Vista: SUPERantispyware (On-Demand only in the free version).

calypso

  • Guest
Re: HTML:Malware-gen help plz :(
« Reply #4 on: March 28, 2008, 08:40:24 PM »
thanks for your help  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89056
  • No support PMs thanks
Re: HTML:Malware-gen help plz :(
« Reply #5 on: March 28, 2008, 09:02:41 PM »
No problem, let us know how you get on with the SAS scan.

Welcome to the forums.

calypso

  • Guest
Re: HTML:Malware-gen help plz :(
« Reply #6 on: March 29, 2008, 06:46:07 PM »
Once again, I do not know what to do.


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: HTML:Malware-gen help plz :(
« Reply #7 on: March 29, 2008, 06:57:26 PM »
Please post a HijackThis! log.

(Instructions and screen shots on the page linked to.)
     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89056
  • No support PMs thanks
Re: HTML:Malware-gen help plz :(
« Reply #8 on: March 29, 2008, 06:59:57 PM »
You have nothing to do in respect of that alert: avast's web shield intercepted it and stopped it from being downloaded, so it isn't on your system. But you do have to identify why the attempts to download it are being made; Frank's suggestion of HJT is a good one to see what is running on your system.

Have you downloaded and run SuperAntiSpyware (the blue text is a link) as I suggested?

In the image I also noticed a red shield with an X on it, which I believe is the Windows Security Center alerting you to either your AV (unlikely) or firewall (probably) being disabled.

If your firewall is disabled there would be nothing to stop files being downloaded to your system.
« Last Edit: March 29, 2008, 07:02:11 PM by DavidR »

calypso

  • Guest
Re: HTML:Malware-gen help plz :(
« Reply #9 on: March 29, 2008, 07:40:16 PM »
This is the file (hijackthis)

http://www.zshare.net/download/9744765c76cc50/

Quote
If your firewall is disabled there would be nothing to stop files being downloaded to your system

No, my firewall is enabled.

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: HTML:Malware-gen help plz :(
« Reply #10 on: March 29, 2008, 07:43:31 PM »
Here it is for others to look at:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:22:14 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\yupdater.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Calypso\Desktop\HiJackThis.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Re: HTML:Malware-gen help plz :(
« Reply #11 on: March 29, 2008, 08:06:46 PM »
This entry is suspicious:

O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE

What is F:\? A USB drive?

The log seems a bit short, which is suspicious.

It would be worth trying the new avast anti-rootkit tool:

http://forum.avast.com/index.php?topic=33753.0

Also, try some online scans. (Disable avast! while scanning.)

F-Secure

BitDefender

Panda

Trend Micro Housecall
ESET Online Scanner
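A small triage script for the kind of HijackThis output posted above, added here as an illustration; it is not part of the thread and not code from HijackThis. It parses O4 (autorun) and O23 (service) lines and mechanically flags what Frank picked out by eye: an autorun whose executable lives on a drive other than the system drive (the F:\INSTALL4\INS3DT.EXE entry), an autorun launched from a user-writable location, and, as a lower-priority item, a service whose binary has no recorded owner. The sample lines are copied from the log in this thread; the set of trusted system drives ({"C"}) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import List

# Assumption: Windows is installed on C:, so any autorun on another drive
# (USB stick, second partition, mapped share) is worth a look.
SYSTEM_DRIVES = {"C"}

# Sample lines taken from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [Ins3DT] F:\INSTALL4\INS3DT.EXE
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""


@dataclass
class Finding:
    kind: str    # "O4" (autorun) or "O23" (service)
    name: str    # registry value name or service display name
    path: str    # executable the entry points at
    reason: str  # why it was flagged


O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First drive-letter path ending in .exe, with or without surrounding quotes;
# HijackThis prints unquoted paths that contain spaces, so split on .exe, not on whitespace.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)


def exe_path(cmd: str) -> str:
    """Extract the executable path from an O4 command line (arguments dropped)."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def triage(log_text: str) -> List[Finding]:
    """Return the O4/O23 entries that deserve a closer look, in log order."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            path = exe_path(m.group("cmd"))
            drive = path[0].upper() if re.match(r"[A-Za-z]:", path) else "?"
            lowered = path.lower()
            if drive not in SYSTEM_DRIVES:
                findings.append(Finding("O4", m.group("name"), path,
                                        f"autorun launches from non-system drive {drive}:"))
            elif "\\temp\\" in lowered or "\\documents and settings\\" in lowered:
                findings.append(Finding("O4", m.group("name"), path,
                                        "autorun launches from a user-writable location"))
            continue
        m = O23_RE.match(line)
        if m and m.group("owner").strip().lower() == "unknown owner":
            findings.append(Finding("O23", m.group("name"), m.group("path"),
                                    "service binary has no publisher/owner recorded"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<4} {f.name:<20} {f.path}\n     -> {f.reason}")
```

A hit is a prompt to check the file (who wrote it, does the drive still exist, when was it created), not a verdict: the Adobe LM Service entry is Adobe's own licensing service and is listed only because HijackThis could not attribute it, while the Ins3DT entry on F: is the one that actually matters in this log.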

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 89056
  • No support PMs thanks
Re: HTML:Malware-gen help plz :(
« Reply #12 on: March 29, 2008, 08:34:45 PM »
<snip>
Quote
If your firewall is disabled there would be nothing to stop files being downloaded to your system

No, my firewall is enabled.


Well, the WSC is reporting that something it monitors is disabled, out of date, etc. What does it say when you double-click it (it will show what it is monitoring)?

If you have a modem/router/firewall it is entirely possible that the WSC doesn't detect it. The other issue is that most hardware router/firewalls don't provide any outbound protection/monitoring. It should be capable of blocking unauthorised outbound Internet Connections.

Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass on your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.

You are running HJT from the desktop and it should be in its own folder, it can be installed to any location C:\HJT for example.
C:\Documents and Settings\Calypso\Desktop\HiJackThis.exe

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: HTML:Malware-gen help plz :(
« Reply #13 on: March 29, 2008, 11:28:26 PM »
Follow DavidR's instruction on moving hijackthis.exe to its own folder. While you are doing that, rename hijackthis.exe to calypso.exe. Then rerun the scan and post the results. You may discover a Vundo infection.

psw

  • Guest
Re: HTML:Malware-gen help plz :(
« Reply #14 on: March 30, 2008, 07:50:29 PM »
If you have a firewall, you can try to block all (IN and OUT) traffic with 222.216.28.25.
This IP corresponds to (at least) the following:
g.asdafdgfgf.com
u.asdafdgfgf.com
t.asdafdgfgf.com
x.asdafdgfgf.com
Previously, similar problems were seen with ads.adslooks.info and fly.1234214.info.
It is not a problem with your PC, but an example of ARP spoofing in the local net. Somewhere in the local net an infected PC is present. This PC substitutes its MAC address in the router's ARP table (maybe in the ARP tables of other PCs too) and intercepts HTTP traffic, inserting scripts etc.

P.S. I dealt with a similar ads.js case yesterday and today.
« Last Edit: March 30, 2008, 07:52:58 PM by psw »
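A check for the ARP-poisoning scenario psw describes, added here as an example and not code from the thread: parse the output of `arp -a` on the affected PC, compare the gateway's MAC address with a value recorded when the network was known to be clean, and flag any MAC that is claimed by more than one IP address (after poisoning, the gateway's entry carries the infected host's MAC, so the same MAC appears twice). The two `arp -a` samples, the addresses and the MACs are constructed for the example; the expected gateway MAC would in practice come from the router's label or from a capture taken before the problem appeared.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample of `arp -a` output in Windows XP format (not from the thread).
# The gateway 192.168.1.1 has been poisoned: its entry now carries the MAC of the
# host at 192.168.1.77, so traffic meant for the router goes to that host first.
POISONED_ARP = """\
Interface: 192.168.1.37 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-16-d3-12-34-56     dynamic
  192.168.1.50          00-0c-29-5a-6b-7c     dynamic
  192.168.1.77          00-16-d3-12-34-56     dynamic
"""

# Same network before the infection; also constructed.
CLEAN_ARP = """\
Interface: 192.168.1.37 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-1d-7e-aa-bb-cc     dynamic
  192.168.1.50          00-0c-29-5a-6b-7c     dynamic
  192.168.1.77          00-16-d3-12-34-56     dynamic
"""

# One table row: IPv4 address, MAC (dash or colon separated), entry type.
# The "Interface:" and header lines do not match and are skipped.
ARP_LINE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-fA-F]{2}[-:]){5}[0-9a-fA-F]{2})\s+"
    r"(?P<type>\w+)"
)


def norm_mac(mac: str) -> str:
    """Lower-case, dash-separated form so Windows and Unix styles compare equal."""
    return mac.lower().replace(":", "-")


def parse_arp(text: str) -> Dict[str, str]:
    """Map IP -> normalised MAC from `arp -a` output."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            table[m.group("ip")] = norm_mac(m.group("mac"))
    return table


def check_arp(table: Dict[str, str], gateway_ip: str,
              expected_gateway_mac: Optional[str] = None) -> List[str]:
    """Return human-readable alerts; an empty list means nothing looked poisoned."""
    alerts: List[str] = []
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        alerts.append(f"no ARP entry for gateway {gateway_ip}")
    elif expected_gateway_mac and gw_mac != norm_mac(expected_gateway_mac):
        alerts.append(f"gateway {gateway_ip} MAC changed: expected "
                      f"{norm_mac(expected_gateway_mac)}, table has {gw_mac}")
    # Two IPs sharing one MAC is the classic footprint of a poisoner that is
    # answering for the gateway from its own interface.
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claimed by {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


def static_arp_command(ip: str, mac: str) -> str:
    """Windows command that pins an ARP entry (run from an administrator prompt)."""
    return f"arp -s {ip} {norm_mac(mac)}"


if __name__ == "__main__":
    gateway, known_good = "192.168.1.1", "00-1d-7e-aa-bb-cc"
    for alert in check_arp(parse_arp(POISONED_ARP), gateway, known_good):
        print("ALERT:", alert)
    print("to pin the gateway:", static_arp_command(gateway, known_good))
```

Pinning the gateway with `arp -s` on the affected PC stops the interception for that one machine until its next reboot; it does not find the infected host, which still has to be traced by its MAC on the switch or router, as psw's post implies. The duplicate-MAC check also only fires when the poisoner's own IP is in the table; a host that answers solely for the gateway shows up only through the expected-MAC comparison, which is why the known-good value matters.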